ERR_SSL_PROTOCOL_ERROR on Google Chrome

Author
sforbus@atljewishacademy.org
New Member
2019/08/13 08:40:20 (permalink)
0

ERR_SSL_PROTOCOL_ERROR on Google Chrome

We are having a bizarre problem since updating to 6.2.1 (we updated due to a memory leak issue in 6.2.0).
 
Certain sites are giving us an ERR_SSL_PROTOCOL_ERROR only in Google Chrome. I have tried all the usual troubleshooting for this error, but the only thing that fixes it is restarting the FortiGate. Two sites (facebook.com and login.renweb.com) both use TLS 1.3, but we can get to facebook without a problem and we cannot get to the other site. After rebooting the device, it works for several days and then starts behaving poorly again.
 
Other browsers work fine, including Internet Explorer, Edge (not Chromium based) and Firefox.
 
I have attempted to disable SSL certificate inspection, but that does not seem to affect the problem one way or another. I also tried putting the fortigate back on its factory certificate.
 
My next step will be to revert to 6.0 branch, where I did not experience this issue, but I figured I would post first to see if anyone had similar experiences.
 
#1

11 Replies

    dxnet
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/19 23:26:32 (permalink)
    0
    Firmware 6.2.1: I have a similar error, can't open https://www.whatsapp.com/ in Google Chrome; in IE it works.
    I added an exemption for SSL inspection (wildcard *.whatsapp.com), but it doesn't work. WhatsApp in Chrome works only when SSL deep inspection is disabled.
    post edited by dxnet - 2019/08/19 23:52:10
    #2
    sforbus@atljewishacademy.org
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/20 04:19:36 (permalink)
    0
    I have solved the problem by downgrading back to 6.0.5, I believe. It has been a couple of days and this problem has not resurfaced. I will see if it happens again.
    #3
    bbilut
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/20 05:23:32 (permalink)
    0
    Have you tried disabling QUIC protocol in Chrome?
    #4
    dxnet
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/21 02:37:58 (permalink)
    0
    I tried to disable QUIC, but it doesn't resolve the problem.
    https://serverfault.com/ also doesn't work, and I added an exemption for SSL inspection for *.serverfault.com too.
    And I noticed that I can't open these sites in Mozilla either.
    Works only in IE, Edge.
    #5
    dxnet
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/24 02:07:50 (permalink)
    0
    So, I've solved the problem by downgrading back to 6.2.0 (build 0866); SSL in Chrome works on all sites where I had the problem (whatsapp.com, https://serverfault.com).
    #6
    kingD
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/30 07:58:28 (permalink)
    0
    I configured a URL filter that works only with IE.
    Chrome lets all the https traffic pass.
    #7
    marcrp
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/30 08:58:47 (permalink)
    0
    We are experiencing the same issue too since upgrading to 6.2.1.
     
    Although for us it seems to be only affecting IE11 and we randomly get the error "Can’t connect securely to this page" "Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to"
     
    The only work around is to create a rule with no AV inspection and put the site we are having issues with as the destination and it seems to work. 
     
    I think I will be reverting to 6.2.0 as I have so many random sites that aren't working for us.
     
     
    #8
    seadave
    Expert Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/08/31 19:45:11 (permalink)
    4 (1)
    TLS 1.3 is a different beast.  Can't tell from the bottom of this page if MiTM TLS 1.3 is only supported in Flow Based inspection or also in Proxy mode (which most people use).  You may need to change from proxy to flow.
     
    https://docs.fortinet.com/document/fortigate/6.2.0/new-features/35927/tls-1-3-support
     
    One other issue we ran into when doing major version upgrades is to ensure your CA cert used for MiTM is not using a weak signing algorithm such as SHA1.  Make sure you generate a self-signed one that is at least 2048 bits using SHA256 if RSA and 384 bits if using ECDHE.
     
    We have found some domains that use HSTS (cert pinning); those will not accept a connection that is broken by a proxy.  We had to create a rule to exempt such domains from filtering if they were legitimate for business.
     
    Finally, I wouldn't be using 6.2.X in production yet and I'd only use it on devices bigger than E series with a model number greater than 100.  Other models are prone to fault due to minimal RAM and CPU resources.  6.2 is still very new.  We are running 6.0.5 in production and it has proven to be very stable on 501Es.
    post edited by seadave - 2019/08/31 19:56:27
    #9
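    seadave's advice above (no SHA-1 signature on the impersonation CA, RSA of at least 2048 bits, 384-bit EC keys) can be checked mechanically before a firmware upgrade. The script below is an added example, not code from the thread or from Fortinet: a minimal standard-library DER walker reads a certificate's signature AlgorithmIdentifier and SubjectPublicKeyInfo and reports anything that falls short of those thresholds. The sample inputs it builds are constructed placeholders, not real keys; on a real CA certificate you would feed it the two DER structures extracted from the cert (for instance via openssl) instead. It treats his "384 bits if using ECDHE" as the size of the EC signing key.

```python
"""Audit the signing algorithm and key size of an SSL-inspection (MITM) CA certificate.
Added example (stdlib only); sample inputs are constructed placeholders, not real keys."""

# Signature algorithm OIDs -> (name, relies on SHA-1)
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", True),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", False),
}
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
EC_CURVE_BITS = {"1.2.840.10045.3.1.7": 256, "1.3.132.0.34": 384, "1.3.132.0.35": 521}


def der_tlv(buf, pos=0):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:                     # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def key_strength(spki):
    """Return (algorithm family, key size in bits) from a DER SubjectPublicKeyInfo."""
    _, seq, _ = der_tlv(spki)
    _, alg, after_alg = der_tlv(seq)                 # AlgorithmIdentifier
    _, oid_body, after_oid = der_tlv(alg)
    _, bit_string, _ = der_tlv(seq, after_alg)       # subjectPublicKey; first byte = unused bits
    alg_oid = decode_oid(oid_body)
    if alg_oid == RSA_ENCRYPTION:
        _, rsa_key, _ = der_tlv(bit_string[1:])      # RSAPublicKey ::= SEQUENCE { n, e }
        _, modulus, _ = der_tlv(rsa_key)
        return "RSA", int.from_bytes(modulus, "big").bit_length()
    if alg_oid == ID_EC_PUBLIC_KEY:
        _, curve, _ = der_tlv(alg, after_oid)        # namedCurve parameter
        return "EC", EC_CURVE_BITS.get(decode_oid(curve), 0)
    return "unknown", 0


def audit_ca(sig_alg_der, spki_der):
    """Apply the thread's advice: no SHA-1, RSA >= 2048 bits, EC >= 384 bits."""
    findings = []
    _, alg_seq, _ = der_tlv(sig_alg_der)
    _, oid_body, _ = der_tlv(alg_seq)
    name, weak = SIG_ALGS.get(decode_oid(oid_body), ("unknown", True))
    if weak:
        findings.append(f"signature algorithm {name} uses SHA-1 or is unrecognised")
    family, bits = key_strength(spki_der)
    if family == "RSA" and bits < 2048:
        findings.append(f"RSA key is only {bits} bits (need at least 2048)")
    elif family == "EC" and bits < 384:
        findings.append(f"EC key is only {bits} bits (need at least 384)")
    elif family == "unknown":
        findings.append("unrecognised public key algorithm")
    return findings


# --- constructed sample inputs (placeholders, not real keys) -----------------
def der_encode(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))


def encode_int(value):                     # minimal positive DER INTEGER
    return der_encode(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def sample_sig_alg(oid):
    params = b"\x05\x00" if oid.startswith("1.2.840.113549") else b""  # RSA algs carry NULL params
    return der_encode(0x30, encode_oid(oid) + params)


def sample_rsa_spki(bits):
    modulus = (1 << (bits - 1)) | 1                   # placeholder modulus of the wanted size
    rsa_key = der_encode(0x30, encode_int(modulus) + encode_int(65537))
    alg = der_encode(0x30, encode_oid(RSA_ENCRYPTION) + b"\x05\x00")
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + rsa_key))


def sample_ec_spki(curve_oid):
    alg = der_encode(0x30, encode_oid(ID_EC_PUBLIC_KEY) + encode_oid(curve_oid))
    point = b"\x04" + b"\x00" * 96                    # placeholder uncompressed point
    return der_encode(0x30, alg + der_encode(0x03, b"\x00" + point))


if __name__ == "__main__":
    print("weak CA:", audit_ca(sample_sig_alg("1.2.840.113549.1.1.5"), sample_rsa_spki(1024)))
    print("good CA:", audit_ca(sample_sig_alg("1.2.840.113549.1.1.11"), sample_rsa_spki(2048)))
```

    The walker deliberately parses only the two structures the audit needs rather than the whole certificate; for anything beyond this check, use a real X.509 library. A key that passes here can still be rejected by clients for other reasons (expired validity, missing basicConstraints CA flag), so treat the audit as one of several pre-upgrade checks.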
    GregAndo
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/02 22:00:48 (permalink)
    0
    Things were going okay, but now we are beginning to see this too after having run for a few days.  I am not sure how far reaching it is, but, ironically, it is affecting my ability to log into the FortiGate web interfaces of my fleet, which are a mix of 6.0 and 6.2.1
     
    Has anyone been able to isolate the cause?  What about a temporary resolution that doesn't require a reboot?
    #10
    tracyb
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/03 13:44:08 (permalink)
    0
    I just posted “Weak impersonation certificates blocking access to sites using ECC certificates”, then saw this post.  The two are possibly related.
    #11
    GregAndo
    New Member
    Re: ERR_SSL_PROTOCOL_ERROR on Google Chrome 2019/09/03 18:35:24 (permalink)
    0
    Okay, I have been digging into this a little more and I think I have some leads.  Seadave is on point with proxy vs flow mode in my testing.  I found that AV, certificate settings, or any other security profiles made no difference being enabled or disabled.  I am interested to hear from anyone who has a situation different to this.  I expect that to be affected, you will need to be using:
     
    - Proxy mode in the policy
    - HTTP proxy in the proxy profile (on port 80 in my case which is confusing for a secure site?)
     
    Since you can now choose Flow Based vs Proxy on a per-policy level in 6.2, you have a couple of workaround options.
     
    1. When the issue starts occurring, access the device CLI and execute the following command to restart the proxy service:
     
    diagnose test application wad 99
     
    I ran this command in the middle of the day without noticing any problems, but use this at your own risk!
     
    2. Reboot the firewall
    3. Create a new copy of the policy above the affected policy, targeting affected destination websites IP addresses (least impact on security, but a pain to manage).  Set this policy to flow mode or use a proxy policy that has HTTP proxy disabled.
    4. Create a new policy using a proxy policy that has HTTP disabled and apply this to the proxy settings on the affected firewall policy.
    5. Change the policy from proxy to flow mode.
     
    Obviously you will need to consider how the reduction in protection affects your risk, and don't forget to change back after the issue is resolved in a future firmware update.  Hope this helps.
     
    We are pushing on this because we really want to leverage new features in 6.2 - Please fix this soon Fortinet!
     
    Hope this helps, please consider giving me a vote if you found this useful!
     
    post edited by GregAndo - 2019/09/04 17:00:50
    #12
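    Option 3 above (a narrow flow-mode policy for the affected destinations, placed above the proxy-mode policy) looks like this in FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the address name, policy IDs and interface names are assumptions, and the per-policy `set inspection-mode flow` keyword is the 6.2 form, so check the syntax against your own FortiOS release before applying it.

```text
config firewall address
    edit "login-renweb-com"
        set type fqdn
        set fqdn "login.renweb.com"
    next
end

config firewall policy
    edit 100
        set name "tls13-flow-exception"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "login-renweb-com"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set nat enable
    next
    move 100 before 10
end
```

    The `move` line assumes the existing proxy-mode policy has ID 10; the exception only helps if it is evaluated first. An FQDN address object is resolved by the FortiGate's own DNS, so if clients resolve the site to an address the firewall has not seen, the traffic falls through to the proxy policy and the error returns. Keeping `certificate-inspection` rather than deep inspection on the exception is what removes the TLS 1.3 interception from the path; log the policy so the exception can be removed once a fixed firmware is installed.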